[Javascript] ssi, layers, table alternative to frames

Andrew Gibson andyg at ihug.co.nz
Mon Apr 14 19:23:17 CDT 2003


Is that because the SSI's files themselves aren't protected, even when the
main page that includes them is?

Andrew Gibson

>
> As an added downside of SSI's -- they are NOTORIOUSLY insecure. When I first
> started honing my teeth on browser exploits for my computer security training,
> the very start of the discussion was on the many easy and exciting ways to
> crack a system that had SSI's in place and operational. Although I've forgotten
> much of what I learned during that series of CSI seminars, the frightening
> simplicity of the exploits involved still sends shivers up my spine -- particularly
> when I hear well-meaning folks relying on those self-same server-side includes
> today. (Sort of the same frisson I get from finding someone enabling anonymous
> FTP on a host that doesn't have backwards-path exclusion turned on).
>
> When I look through the latest Apache "Black Book", it still warns against enabling
> SSI's except for the simplest of things. Most military and government systems
> have a flat-out edict against SSI's, period -- for precisely that reason. Next to
> buffer-overflow exploits, SSI's are a hacker's (oops! I mean a "cracker's") best
> friend.
>




